
Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data

Medium
Published: Wed Jun 18 2025 (06/18/2025, 16:36:04 UTC)
Source: AlienVault OTX General

Description

A multistage malware campaign targeting Minecraft users has been discovered, distributed through the Stargazers Ghost Network on GitHub. The malware impersonates popular Minecraft mods and cheats, using a Java-based downloader that evades detection. The infection chain includes multiple stages: a Java loader, a Java stealer, and a .NET stealer. The malware steals gaming credentials, browser data, cryptocurrency wallets, and other sensitive information. The campaign, likely of Russian origin, exploits the popularity of Minecraft mods to spread malware, highlighting the risks in gaming communities. Over 1500 potential infections have been recorded based on Pastebin hits.

AI-Powered Analysis

Last updated: 06/18/2025, 20:01:58 UTC

Technical Analysis

This threat describes a multistage malware campaign targeting Minecraft users, distributed via the Stargazers Ghost Network on GitHub. The attackers publish fake Minecraft mods and cheats that impersonate popular legitimate mods, relying on the game's large player base to spread the malware. The infection chain has three stages: a Java-based downloader (loader) runs first and is built to evade detection; it then retrieves and executes a Java stealer component, followed by a .NET stealer module. Together these components exfiltrate gaming credentials, browser data, cryptocurrency wallets and other personal information. The malware relies on code obfuscation and multi-stage loading to frustrate detection and analysis.

The campaign is assessed as likely Russian in origin, and over 1,500 potential infections have been counted from Pastebin hits. Indicators of compromise include multiple file hashes and two IP addresses, one in a Russian network and one geolocated to Bulgaria. The observed tactics map to the MITRE ATT&CK techniques T1555 (Credentials from Password Stores), T1056.001 (Input Capture: Keylogging), T1059.007 (Command and Scripting Interpreter: JavaScript), T1005 (Data from Local System) and T1027 (Obfuscated Files or Information). The campaign highlights the risk posed by threat actors abusing gaming communities and third-party mod distribution, especially when the payloads are hosted on public repositories such as GitHub.

Potential Impact

For European organizations, the primary impact is indirect but significant. While the malware targets individual gamers, stolen credentials and browser data can lead to broader security incidents if users reuse passwords or access corporate resources from compromised devices. Theft of cryptocurrency wallets can cause direct financial loss for affected individuals. Compromised gaming devices connected to corporate networks could also serve as footholds for lateral movement or data exfiltration. The campaign poses reputational risk for organizations in the gaming, software development or digital entertainment sectors. Because the malware steals sensitive information, there is a risk of personal-data breaches under GDPR where EU residents are affected. The GitHub infection vector also raises supply-chain concerns about the integrity of public software repositories used by European developers and users.

Mitigation Recommendations

- Implement strict software-installation controls, in particular restricting the installation of unofficial or third-party Minecraft mods from unverified sources such as GitHub repositories not officially endorsed by Minecraft or Mojang.
- Deploy endpoint detection and response (EDR) capable of detecting multi-stage Java and .NET malware behaviour, including suspicious downloader activity and credential-theft patterns.
- Educate users, particularly younger gamers and their guardians, about the risks of downloading mods from unofficial sources, and encourage the use of official mod repositories or verified platforms.
- Monitor network traffic for connections to the IP addresses listed under Indicators of Compromise (147.45.79.104 and 185.95.159.125) and block or alert on them. Infrastructure of this kind is often rotated, so pair the IP block with the behavioural detections above rather than relying on it alone.
- Enforce multi-factor authentication (MFA) on all gaming accounts and related services to reduce the impact of stolen credentials.
- Update antivirus and antimalware signatures to include the hashes listed under Indicators of Compromise. A hash match only catches the exact samples listed, so treat a clean hash scan as inconclusive.
- Encourage users to keep gaming activity separate from corporate environments, ideally on separate devices or virtual machines, to prevent cross-contamination.
- Implement browser security measures such as credential vaulting and anti-phishing protections to mitigate browser data theft.
- Monitor Pastebin and similar platforms for indicators of compromise or signs of data leakage related to this campaign.
- Report malicious repositories associated with the Stargazers Ghost Network to GitHub and request their takedown.


Technical Details

Author: AlienVault
TLP: white
References: none listed
Adversary: not attributed
Pulse Id: 6852eaf4e5e37f4bd599c84e
Threat Score: none

Indicators of Compromise

Hash

MD5 (listed as the MD5 of the sample whose SHA-1 is 71dd32d338811a15f5c5cd595a84c9c21c15ef3a):
  d9f345d2d03c39351cf9f3ffd8810df7

SHA-1:
  71dd32d338811a15f5c5cd595a84c9c21c15ef3a

SHA-256:
  05b143fd7061bdd317bd42c373c5352bec351a44fa849ded58236013126d2963
  4c8a6ad89c4218507e27ad6ef4ddadb6b507020c74691d02b986a252fb5dc612
  4c944b07832d5c29e7b499d9dd17a3d71f0fd918ab68694d110cbb8523b8af49
  51e423e8ab1eb49691d8500983f601989286f0552f444f342245197b74bc6fcf
  5590eaa4f11a6ed4351bc983e47d9dfd91245b89f3108bfd8b7f86e40d00b9fa
  5d80105913e42efe58f4c325ac9b7c89857cc67e1dcab9d99f865a28ef084b37
  7aefd6442b09e37aa287400825f81b2ff896b9733328814fb7233978b104127f
  886a694ee4be77242f501b20d37395e1a8a7a8f734f460cae269eb1309c5b196
  97df45c790994bbe7ac1a2cf83d42791c9d832fa21b99c867f5b329e0cc63f64
  9a678140ce41bdd8c02065908ee85935e8d01e2530069df42856a1d6c902bae1
  9ca41431df9445535b96a45529fce9f9a8b7f26c08ac8989a57787462da3342f
  a1dc479898f0798e40f63b9c1a7ee4649357abdc757c53d4a81448a5eea9169f
  a427eeb8eed4585f2d51b62528b8b4920e72002ab62eb6fc19289ebc2fba5660
  c5936514e05e8b1327f0df393f4d311afd080e5467062151951e94bbd7519703
  f08086257c74b1de394bf150ad8aacc99ca5de57b4baa0974bc1b59bb973d355  (listed as the SHA-256 of the sample whose SHA-1 is 71dd32d338811a15f5c5cd595a84c9c21c15ef3a)

Ip

  147.45.79.104   CC=RU  ASN=AS2895 (ooo freenet group)
  185.95.159.125  CC=BG  ASN=AS3320 (deutsche telekom ag)
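The mitigation recommendations above ask for two concrete checks: match the listed hashes against files on a host, and watch connection logs for the two listed addresses. The following Python is an added example (not code from the pulse or from AlienVault) that does both. The hash and IP values are copied from the list above; the sample log lines, the folder paths and every function name are constructed for illustration and are not taken from the pulse.

```python
"""Check local files and connection logs against the IoCs listed in this pulse.

Added example, not from the pulse or its author. SAMPLE_LOG below is constructed.
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
from pathlib import Path
from typing import Iterable

# Hashes exactly as listed under "Indicators of Compromise": one MD5, one SHA-1, fifteen SHA-256.
IOC_HASHES = frozenset({
    "d9f345d2d03c39351cf9f3ffd8810df7",
    "71dd32d338811a15f5c5cd595a84c9c21c15ef3a",
    "05b143fd7061bdd317bd42c373c5352bec351a44fa849ded58236013126d2963",
    "4c8a6ad89c4218507e27ad6ef4ddadb6b507020c74691d02b986a252fb5dc612",
    "4c944b07832d5c29e7b499d9dd17a3d71f0fd918ab68694d110cbb8523b8af49",
    "51e423e8ab1eb49691d8500983f601989286f0552f444f342245197b74bc6fcf",
    "5590eaa4f11a6ed4351bc983e47d9dfd91245b89f3108bfd8b7f86e40d00b9fa",
    "5d80105913e42efe58f4c325ac9b7c89857cc67e1dcab9d99f865a28ef084b37",
    "7aefd6442b09e37aa287400825f81b2ff896b9733328814fb7233978b104127f",
    "886a694ee4be77242f501b20d37395e1a8a7a8f734f460cae269eb1309c5b196",
    "97df45c790994bbe7ac1a2cf83d42791c9d832fa21b99c867f5b329e0cc63f64",
    "9a678140ce41bdd8c02065908ee85935e8d01e2530069df42856a1d6c902bae1",
    "9ca41431df9445535b96a45529fce9f9a8b7f26c08ac8989a57787462da3342f",
    "a1dc479898f0798e40f63b9c1a7ee4649357abdc757c53d4a81448a5eea9169f",
    "a427eeb8eed4585f2d51b62528b8b4920e72002ab62eb6fc19289ebc2fba5660",
    "c5936514e05e8b1327f0df393f4d311afd080e5467062151951e94bbd7519703",
    "f08086257c74b1de394bf150ad8aacc99ca5de57b4baa0974bc1b59bb973d355",
})

# Addresses listed under "Indicators of Compromise".
IOC_IPS = frozenset(ipaddress.ip_address(a) for a in ("147.45.79.104", "185.95.159.125"))

HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_chunks(chunks: Iterable[bytes]) -> dict[str, str]:
    """Feed one byte stream to all three hashers in a single pass; lowercase hex digests."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: Path) -> dict[str, str]:
    """Stream the file in 1 MiB chunks so large mod packs do not get loaded into memory."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(1 << 20), b""))


def match_digests(digests: dict[str, str]) -> list[str]:
    """Names of the algorithms whose digest is in the IoC set (empty list means no match)."""
    return [algo for algo, hexd in digests.items() if hexd.lower() in IOC_HASHES]


def scan_tree(root: str | Path, suffixes=(".jar", ".exe", ".dll")) -> list[tuple[Path, list[str]]]:
    """Hash every candidate under root (mods folder, downloads, temp dirs) and return IoC hits."""
    root = Path(root)
    hits: list[tuple[Path, list[str]]] = []
    if not root.is_dir():
        return hits
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            matched = match_digests(hash_file(p))
            if matched:
                hits.append((p, matched))
    return hits


# Dotted quad not glued to other digits or dots (so 147.45.79.1041 is not a match).
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_ioc_connections(log_lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Scan firewall/proxy/netflow text for IoC addresses; returns (line number, ip, line)."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for token in _IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # e.g. 300.1.1.1 fits the regex but is not an address
                continue
            if addr in IOC_IPS:
                hits.append((n, str(addr), line.rstrip()))
    return hits


# Constructed firewall lines (not from the pulse); lines 2 and 3 contain the IoC addresses.
SAMPLE_LOG = [
    "2025-06-18T16:40:01Z fw allow src=10.0.5.23:51234 dst=142.250.74.78:443 proto=tcp",
    "2025-06-18T16:40:07Z fw allow src=10.0.5.23:51240 dst=147.45.79.104:80 proto=tcp",
    "2025-06-18T16:40:09Z fw allow src=10.0.5.23:51241 dst=185.95.159.125:443 proto=tcp",
    "2025-06-18T16:40:11Z fw deny  src=10.0.5.99:60000 dst=185.95.159.1:443 proto=tcp",
]

if __name__ == "__main__":
    for n, ip, line in find_ioc_connections(SAMPLE_LOG):
        print(f"IoC address {ip} on log line {n}: {line}")
    # Typical places a fake mod lands on a player's machine; adjust for the host being checked.
    for folder in (Path.home() / ".minecraft" / "mods", Path.home() / "Downloads"):
        for path, algos in scan_tree(folder):
            print(f"IoC hash match ({', '.join(algos)}): {path}")
```

Run it on a suspect machine as the user whose game profile is in question; a hash hit identifies one of the exact samples above, while an address hit only says that something on the host talked to the listed infrastructure and should be followed up with process and connection telemetry from the EDR.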

Threat ID: 685317a933c7acc046074fa7

Added to database: 6/18/2025, 7:46:49 PM

Last enriched: 6/18/2025, 8:01:58 PM

Last updated: 8/17/2025, 8:06:13 AM

Views: 17
